The issue only comes when a gateway wants to support all sizes of SPIs 0 - 1 - 2 - 3 - 4 bytes - which is very unlikely. For a deterministic lookup, I would suggest using IP addresses and the minimum allowed byte compressed SPI. If you use 2 - 3 bytes, the likelihood of collision might still be very low to support an additional signature check.

Yours,
Daniel

On Tue, May 24, 2022 at 4:30 PM Robert Moskowitz <rgm-...@htt-consult.com> wrote:

> That is the 'easy' part.
>
> What does the code do when it receives an ESP packet? How does it know that
> it is a diet-esp packet and apply the rules?
>
> Next Header just says: ESP.
>
> On 5/24/22 16:23, Daniel Migault wrote:
>
> This is correct. IKEv2 is used both to agree on the use of Diet-ESP as
> well as values to be used for the compression/decompression.
>
> Yours,
> Daniel
>
> On Tue, May 24, 2022 at 11:14 AM Paul Wouters <paul.wouters=
> 40aiven...@dmarc.ietf.org> wrote:
>
>> On Sun, May 22, 2022 at 9:20 PM Robert Moskowitz <rgm-...@htt-consult.com>
>> wrote:
>>
>>> I think there is something else I am missing here.
>>>
>>> How does the receiving system 'know' that the packet is a diet-esp
>>> packet?
>>
>> https://datatracker.ietf.org/doc/html/draft-mglt-ipsecme-ikev2-diet-esp-extension-02
>>
>> It's negotiated with IKEv2.
>>
>> I guess the IKE stack has to signal this to the ESP implementation on
>> what to expect when
>> the policy is installed?
>>
>> Paul
>>
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec
>
> --
> Daniel Migault
> Ericsson
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

--
Daniel Migault
Ericsson